Many embedded system devices, especially those used in critical infrastructure applications, are easily accessible (i.e. have poor physical security) and can be tampered with or altered such that the integrity and authenticity of the devices cannot be assured. Once the device is sold or deployed, malicious circuitry (aka intruder) may be installed by an adversary. The intruder may be installed to be coupled to a communication bus and include circuitry to read or control the communication bus. Information or protocols of the communication bus may be learned by the intruder and subsequently be delivered to the adversary. Given the possibility of an intruder being installed on a device that requires security, it would be desirable to be able to detect an intruder installed on a device and take action based on detecting the intruder.